oscar remote crash?

Mark Doliner mark at kingant.net
Mon Nov 7 00:36:26 EST 2011


I've attached my proposed patch for this.  I'm pretty happy with it,
but if anyone wants to double check, feel free.

The diff is against the im.pidgin.pidgin.2.x.y branch.  I changed the
four functions that parse incoming authorization-related SNACs.  The
changes are:
- Make sure we have a buddy name and it is valid UTF-8.  If not, we
drop the SNAC and log a debug message (we can't do much with an empty,
invalid or incorrect buddy name).  This wasn't a part of the bug
report and I doubt it's actually a problem, but it seems like a good
idea regardless.
- If the incoming message is not valid UTF-8 then use
purple_utf8_salvage() to replace invalid bytes with question marks.  I
believe this fixes the bug in question.

We should schedule the release of 10.0.1 soon.  It'll come from the
2.x.y branch, and include this fix as well as the previous fix to SILC
that Ethan committed.  I need to re-read those emails, as I'm not sure
we're happy that we've fixed enough invalid utf8 bugs (it would be
extremely time consuming to audit all our code, but maybe we're aware
of a few places that were problematic?  I don't remember).

--Mark
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fix_oscar_remote_crash_ticket_14682.diff
Type: text/x-patch
Size: 4656 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20111106/9bbdaabf/attachment.bin>


More information about the security mailing list